Book Image

Cybersecurity Attacks ‚Äì Red Team Strategies

By : Johann Rehberger

Book Image

Cybersecurity Attacks ‚Äì Red Team Strategies

By: Johann Rehberger

Overview of this book

It's now more important than ever for organizations to be ready to detect and respond to security events and breaches. Preventive measures alone are not enough for dealing with adversaries. A well-rounded prevention, detection, and response program is required. This book will guide you through the stages of building a red team program, including strategies and homefield advantage opportunities to boost security. The book starts by guiding you through establishing, managing, and measuring a red team program, including effective ways for sharing results and findings to raise awareness. Gradually, you'll learn about progressive operations such as cryptocurrency mining, focused privacy testing, targeting telemetry, and even blue team tooling. Later, you'll discover knowledge graphs and how to build them, then become well-versed with basic to advanced techniques related to hunting for credentials, and learn to automate Microsoft Office and browsers to your advantage. Finally, you'll get to grips with protecting assets using decoys, auditing, and alerting with examples for major operating systems. By the end of this book, you'll have learned how to build, manage, and measure a red team program effectively and be well-versed with the fundamental operational techniques required to enhance your existing skills.

Preface

A note about terminology

Who this book is for

What this book covers?

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Section 1: Embracing the Red

Section 1: Embracing the Red

Free Chapter

Chapter 1: Establishing an Offensive Security Program

Chapter 1: Establishing an Offensive Security Program

Defining the mission – the devil's advocate

Getting leadership support

Locating a red team in the organization chart

The road ahead for offensive security

Providing different services to the organization

Additional responsibilities of the offensive program

Training and education of the offensive security team

Policies – principles, rules, and standards

Rules of engagement

Standard operating procedure

Modeling the adversary

Anatomy of a breach

Modes of execution – surgical or carpet bombing

Environment and office space

Chapter 2: Managing an Offensive Security Team

Chapter 2: Managing an Offensive Security Team

Understanding the rhythm of the business and planning Red Team operations

Managing and assessing the team

Management by walking around

Managing your leadership team

Managing yourself

Handling logistics, meetings, and staying on track

Growing as a team

Leading and inspiring the team

For the best results – let them loose!

Leveraging homefield advantage

Disrupting the purple team

Chapter 3: Measuring an Offensive Security Program

Chapter 3: Measuring an Offensive Security Program

Understanding the illusion of control

The road to maturity

Threats – trees and graphs

Defining metrics and KPIs

Test Maturity Model integration (TMMi ®)and red teaming

MITRE ATT&CK™ Matrix

Remembering what red teaming is about

Chapter 4: Progressive Red Teaming Operations

Chapter 4: Progressive Red Teaming Operations

Exploring varieties of cyber operational engagements

Cryptocurrency mining

Red teaming for privacy

Red teaming the red team

Targeting the blue team

Leveraging the blue team's endpoint protection as C2

Social media and targeted advertising

Targeting telemetry collection to manipulate feature development

Attacking artificial intelligence and machine learning

Operation Vigilante – using the red team to fix things

Emulating real-world advanced persistent threats (APTs)

Performing tabletop exercises

Section 2: Tactics and Techniques

Section 2: Tactics and Techniques

Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases

Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases

Understanding attack and knowledge graphs

Graph database basics

Building the homefield graph using Neo4j

Exploring the Neo4j browser

Creating and querying information

Chapter 6: Building a Comprehensive Knowledge Graph

Chapter 6: Building a Comprehensive Knowledge Graph

Technical requirements

Case study – the fictional Shadow Bunny corporation

Mapping out the cloud!

Importing cloud assets

Loading CSV data into the graph database

Adding more data to the knowledge graph

Augmenting an existing graph or building one from scratch?

Chapter 7: Hunting for Credentials

Chapter 7: Hunting for Credentials

Technical requirements

Clear text credentials and how to find them

Leveraging indexing techniques to find credentials

Hunting for ciphertext and hashes

Chapter 8: Advanced Credential Hunting

Chapter 8: Advanced Credential Hunting

Technical requirements

Understanding the Pass the Cookie technique

Credentials in process memory

Abusing logging and tracing to steal credentials and access tokens

Windows Credential Manager and macOS Keychain

Using optical character recognition to find sensitive information in images

Exploiting the default credentials of local admin accounts

Phishing attacks and credential dialog spoofing

Performing password spray attacks

Chapter 9: Powerful Automation

Chapter 9: Powerful Automation

Technical requirements

Understanding COM automation on Windows

Achieving objectives by automating Microsoft Office

Automating and remote controlling web browsers as an adversarial technique

Chapter 10: Protecting the Pen Tester

Chapter 10: Protecting the Pen Tester

Technical requirements

Locking down your machines (shields up)

Improving documentation with custom Hacker Shell prompts

Monitoring and alerting for logins and login attempts

Chapter 11: Traps, Deceptions, and Honeypots

Chapter 11: Traps, Deceptions, and Honeypots

Technical requirements

Actively defending pen testing assets

Understanding and using Windows Audit ACLs

Notifications for file audit events on Windows

Building a Homefield Sentinel – a basic Windows Service for defending hosts

Monitoring access to honeypot files on Linux

Alerting for suspicious file access on macOS

Chapter 12: Blue Team Tactics for the Red Team

Chapter 12: Blue Team Tactics for the Red Team

Understanding centralized monitoring solutions that blue teams leverage

Using osquery to gain insights and protect pen testing assets

Leveraging Filebeat, Elasticsearch, and Kibana

Assessments

Another Book You May Enjoy

Another Book You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Chapter 3

The most useful fields will enable better insights into common vulnerabilities and exploitation patterns, as well as support reporting and communicating findings with other stakeholders. The following are some useful metadata fields for findings:
1. Security Cause (CWE, CAPEC, and the MITRE ATT&CK tactic and technique)
2. Category, as per STRIDE
3. Security Severity (such as Critical, High, Medium, and Low)
4. CVSS Scoring and CVSS Vector
5. Asset Owner or Team
Qualitative measures are derived via a subjective insight as part of an expert opinion. They typically use an ordinal scoring system that cannot be leveraged easily using math. Quantitative measures are based on numbers, probabilities, and calculations that are done through mathematics. Cybersecurity today typically operates based upon qualitative measurements and ordinal scales, which is not ideal.
There are multiple tools and techniques that can be used to visualize attack graphs. For presentations and...